Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk forwarder : Remote login has been disabled for 'admin' with the default password. How to login or reset password?

mikki
Explorer
‎06-13-2024 02:47 PM

Upgraded universal splunk universal forwarder from 9.0.2 to 9.1.0. 

./splunk list monitor gives me the following error with default password : "Remote login has been disabled for 'admin' with the default password. Either set the password, or override by changing the 'allowRemoteLogin' setting in your server.conf file." for the first time.

./splunk edit user admin -password <newpassword> -auth admin:changeme

tried above command to reset default password: still gives me : "Remote login has been disabled for 'admin' with the default password. Either set the password, or override by changing the 'allowRemoteLogin' setting in your server.conf file."

Looking for any answers.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

P_vandereerden
Splunk Employee
Splunk Employee
‎06-13-2024 04:18 PM

Have you tried the second option (allowRemoteLogin)? I can't say I've seen this myself, but it could be that you need to temporarily change that setting to get around the default password problem. If that works, then once you've changed your password, you should be able to revert the allowRemoteLogin setting.

The following should help for values:

# The following 'allowRemoteLogin' setting controls remote management of your splunk instance.
#  - If set to 'always', all remote logins are allowed.
#  - If set to 'never', only local logins to splunkd will be allowed. Note that this will still allow
#    remote management through splunkweb if splunkweb is on the same server.
#  - If set to 'requireSetPassword' (default behavior):
#     1. In the free license, remote login is disabled.
#     2. In the pro license, remote login is only disabled for the admin user that has not changed their default password
Paul van der Eerden,
Breaking software for over 20 years.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mikki
Explorer
‎06-13-2024 08:37 PM

setting "allowRemoteLogin" in server.conf did allow default password and then I changed the password using above ./splunk edit user ...

Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

P_vandereerden
Splunk Employee
Splunk Employee
‎06-13-2024 04:18 PM

Have you tried the second option (allowRemoteLogin)? I can't say I've seen this myself, but it could be that you need to temporarily change that setting to get around the default password problem. If that works, then once you've changed your password, you should be able to revert the allowRemoteLogin setting.

The following should help for values:

# The following 'allowRemoteLogin' setting controls remote management of your splunk instance.
#  - If set to 'always', all remote logins are allowed.
#  - If set to 'never', only local logins to splunkd will be allowed. Note that this will still allow
#    remote management through splunkweb if splunkweb is on the same server.
#  - If set to 'requireSetPassword' (default behavior):
#     1. In the free license, remote login is disabled.
#     2. In the pro license, remote login is only disabled for the admin user that has not changed their default password
Paul van der Eerden,
Breaking software for over 20 years.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...